Loose Canons

NATO and Cyberwar: Will Britain Invoke Article 5?

When is a cyberattack on one member an attack on all of them?

On November 19, 1919, Congress rejected the Versailles Treaty ending World War I and with it the charter of the League of Nations which was a key part of it. Principal among the reasons for the treaty’s rejection was a provision that committed the United States, along with the other members of the League, to the mutual defense of any member that was attacked militarily. Because treaties are the supreme law of the land — second only to the Constitution — Congress refused to surrender its power to declare war.

Almost thirty years later, Congress ratified the NATO Treaty despite the fact that Article 5 of that treaty contains the same mutual defense commitment. By ratifying that treaty, Congress declared war pre-emptively against any nation or non-state actor that attacked a NATO member.

With the accession of tiny Montenegro — militarily as capable as the Duchy of Grand Fenwick minus the “Q bomb” — NATO now has 29 member nations the United States is committed to defend.

Since 1949, the only time Article 5 has been invoked was after the 9/11 attacks on America. NATO, or at least most of its members, has joined us in the wars in Afghanistan and Iraq. Some NATO troops remain in Afghanistan after nearly sixteen years of war.

The threats of war that were recognized in 1949 have evolved as much as war itself. Every NATO member, including the U.S., has ignored the need to adapt the NATO Treaty to the 21st century.

As we celebrate our independence from Britain, we need to remember that they are now one of our most important allies. What they say deserves our attention and thought.

Last week UK Defense Minister Sir Michael Fallon, speaking about the recent cyberattack on the UK Parliament, suggested that his nation might respond to future cyberattacks with airstrikes or other military action. The clear implication is that the UK might invoke Article 5 to obtain NATO support for such military action.

No one considered cyberattacks when the NATO Treaty was signed because computer technology was in its infancy. But that is not to say that Article 5 is inapplicable to cyberattacks. The question boils down to this: When does a cyberattack constitute an act of war? There is no definition of a cyberattack in the NATO Treaty or elsewhere in international law.

Cyberespionage is commonplace. U.S. defense contractors and government networks, including those of the intelligence agencies, are subjected to thousands, perhaps tens of thousands, of cyberespionage attempts each day. Some succeed because every defense against them is penetrable eventually.

But cyberespionage is not cyberwar for one principal reason: it does no physical harm. Espionage only benefits the spy who remains undetected. People aren’t injured or killed, computer networks aren’t destroyed, and neither military nor civilian targets — aircraft, the electricity power grid, and such — are destroyed or damaged. Obviously, the cyberespionage or “hacking” that penetrated the UK Parliament email system wasn’t an act of war.

Everyone who saw the Bruce Willis movie Live Free or Die Hard knows that cyberterrorism is not cyberespionage. The former can take down power grids, disrupt or rob financial networks, and kill people.

But there’s a great deal more that cyberterrorists or nations acting against their adversaries can do. Some of those cyberattacks can — and probably should — be classified as acts of war.

Let’s get organized. Cyberespionage isn’t cyberwar. We do it as much as every other nation (and, I hope, more). It’s the cost of doing business on the internet.

Leakers aren’t the issue. Leakers are traitors and should be caught and punished whenever possible. When CIA Director Mike Pompeo said that WikiLeaks was acting as a hostile intelligence service he was precisely right. But WikiLeaks, and others like them, are only as good as the leakers who feed them documents and data.

“Hacking” is a term that has lost its meaning because of its ubiquity. For the purposes of this discussion, let’s exclude the innocent (or criminal) acts of individuals, governments, and terrorists gaining access to others’ emails and browser histories. As bad as they may be, they’re not acts of war.

But there is precedent for a definition of cyber acts of war.

In April 2007, the government of Estonia was subjected to a sustained cyberattack that lasted for weeks and effectively prevented Estonia’s government from functioning. The attack was almost certainly made by Russia, which naturally denied its involvement.

Estonia had become a member of NATO three years earlier. It didn’t have the capability to retaliate against Russia, but it could have invoked Article 5 of the NATO treaty to require participation in any military strike against Russia by the U.S. and other members. But the Russian cyberattack was, at worst, a marginal case under Article 5. Moreover, no one, least of all the NATO members who are woefully deficient in defense spending, wanted to go to war over what the press characterized as a “hacking” incident.

Other cyberattacks were more clearly acts of war. For example, in 2007 the computer controls of many of Iran’s uranium enrichment centrifuges were penetrated by what reportedly was the “Stuxnet” computer worm that caused the centrifuges to run at excessive speed, destroying themselves. Other Iranian computer networks were also affected, bringing them down for a time.

It’s almost certain that the Stuxnet attack emanated from either the United States or Israel and perhaps both. Stuxnet went far beyond espionage or “hacking” by materially damaging, and thus setting back, Iran’s nuclear weapons program. Because of its effects, the Stuxnet attacks were acts of war but Iran didn’t claim them as such mainly because, at the time, it didn’t have the capability to respond militarily.

Let’s set the baseline. Our nation spends billions of dollars a year trying, with only middling success, to protect our cyber networks — government, commercial, and private — in a way that reduces but clearly doesn’t eliminate the worst threats of cyberwar, including sabotage.

In setting the baseline we have to recognize that everything from most cars produced in the past ten years, to nuclear reactors, satellites, and fighter aircraft — the F-35 is probably the best (i.e., worst) example — is susceptible to cyberattack that can literally take over its controls and prevent it from performing its most essential missions. That vulnerability is limited only by the effectiveness of enemies’ efforts to penetrate their cyber defenses.

In March 2015 Adm. Mike Rogers, NSA Director and commander of U.S. Cyber Command, told the Senate Armed Services Committee in open session that the U.S. government’s efforts to deter enemy cyberattacks weren’t working. Further, he said that we needed to increase our offensive cyberattack capabilities in order to create a deterrent effect. As a statement of the problem and not as an afterthought, Rogers said that then-President Obama hadn’t delegated to him the authority to deploy offensive tools.

There is no reason to think that much has improved since then.

Now, we have one of our principal allies saying that at some point they may respond to a cyberattack with military action that would implicate all NATO members under Article 5. Thus, Article 5 needs to be amended to define what cyber events constitute an act of war on which the invocation of Article 5 can be justified.

This is not a trivial exercise, but let’s take a crack at it.

To constitute an act of war, thereby justifying the invocation of Article 5, a cyberattack should be defined as an act by a nation or non-state actor such as a terrorist network that: (a) is performed by an identifiable actor and (b) attempted to cause or succeeded in causing physical injury to people or property (including damage to computer software) on a significant scale or (c) had the effect of preventing a government from employing its defense assets in peacetime or otherwise defending some or all of its citizens from harm.

The definition I propose is relatively simple. If a nation, or a non-state actor such as a terrorist network, commits a cyberattack that kills or injures people on a large scale or damages or destroys a significant amount of government or personal property, the event should be defined as an act of war. Taking control of an F-35, preventing it from navigating, using its weapons or even causing it to crash, would fit the definition. The Stuxnet attack on Iran would also fit.

Amending Article 5 to include a definition of cyberattacks would both limit it, properly preventing member states from using it to justify military action on baseless grounds, and put enemy states on notice that certain cyberattacks are off-limits. As war evolves, so must the law of war.